MXPA04007410A - Moving principals across security boundaries without service interruption. - Google Patents
- Publication number
- MXPA04007410A
- Authority
- MX
- Mexico
- Prior art keywords
- authority
- account
- authentication
- principal
- copy
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
- G06Q20/3674—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Finance (AREA)
- General Physics & Mathematics (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
Description
MOVING PRINCIPALS ACROSS SECURITY BOUNDARIES WITHOUT SERVICE INTERRUPTION
FIELD OF THE INVENTION This invention relates in general to network management and, more particularly, to a system and method for authenticating principals in a network environment.
BACKGROUND OF THE INVENTION As computer networks become indispensable within industrial and business environments, users more frequently require access to resources located on a computer other than their own machine. However, the possibility of access by remote users gives rise to many security concerns. For example, a remote user may gain access to data for which he has no authorization and in some cases may destroy or alter such data. Accordingly, most network domains require the user to log in and be authenticated before gaining access to resources within the domain. Authentication is intended to ensure that the user's identity and associated permissions are known before access is granted. The authentication process includes reviewing whether the access is appropriate and then either granting or denying access based on the results of the review.
As used here, a principal is an entity (typically a person, a computer, an application or a service) that attempts to gain access to a secured resource or facility (for example, an application). Authentication is the process of testing or verifying identity. An authority is a trusted entity that provides authentication services with respect to a certain group of principals. A given authority trusts its principals once they have been authenticated, but cannot trust other authorities to have duly authenticated their own principals. For this reason, a namespace convention has been developed, whereby a particular authority authenticates only those principals whose account IDs reside in a given namespace. In particular, an account ID usually comprises a user identifier portion and an authentication authority portion. The authentication authority portion of the account ID identifies the namespace of the principal's ID and therefore the authority that must authenticate the principal. The user identifier portion distinguishes a particular user from other users within the same namespace. Thus, for example, the account ID bob@dev.microsoft.com must be authenticated by the authority of the domain dev.microsoft.com, while the ID bob@mktg.microsoft.com must be authenticated by the authority of the domain mktg.microsoft.com.
This solution has provided a certain level of security with respect to network resources; however, the static nature of the namespace divisions creates additional problems. For example, when a user moves from one domain to another, or when access across domain boundaries is required, the present system does not adapt easily. In the first case, the user is required to obtain a new account ID that identifies the namespace of the new domain rather than the old one, while in the latter case the user must obtain an additional account in the appropriate namespace, or there must be a strong administrative trust relationship between the authorities.
BRIEF DESCRIPTION OF THE INVENTION Embodiments of the invention provide a new network architecture that allows the namespace convention for principal authentication to be altered, so that principals can move across security boundaries without changing their account IDs, while still protecting resources as the previous methods did. The architecture in accordance with certain embodiments of the invention comprises a super authority that has responsibility for a plurality of authentication authorities. When an authentication authority receives a login request, it transmits the request to the super authority for a decision as to which authentication authority must authenticate the associated principal. In response, the super authority consults the identity catalog to determine which authority should authenticate the principal. In one embodiment of the invention, the identity catalog comprises a mapping of each account ID to an authentication authority. The mapping is set by policy rather than constrained by namespace boundaries, so that, unlike previous systems, two different authentication authorities can authenticate within the same namespace, and any authentication authority can authenticate in multiple namespaces. For example, the mapping may be based on the principals' organizational affiliation within a company or on the principals' geographic location. Once the authentication authority has been identified by the super authority, the super authority either sends the login request directly to the appropriate authority for authentication or otherwise causes the request to be sent to the appropriate authority for authentication. Additional features and advantages of the invention will be apparent from the following detailed description of the illustrative embodiments, which proceeds with reference to the accompanying figures.
BRIEF DESCRIPTION OF THE DRAWINGS While the appended claims set forth the features of the present invention with particularity, the invention, together with its objectives and advantages, can be better understood from the following detailed description taken together with the accompanying drawings. Figure 1 is a block diagram generally illustrating an exemplary computing device architecture in which embodiments of the present invention can be implemented. Figure 2A is a schematic diagram of an exemplary general network architecture within which authentication authorities associated with principals can be implemented. Figure 2B is an exemplary logical diagram of the associations between principals and authentication authorities. Figure 3A is a schematic diagram of a general network architecture within which a super authority can be implemented in one embodiment of the invention. Figure 3B is an exemplary logical diagram of the associations between super authorities, principals, and authentication authorities in accordance with one embodiment of the invention. Figure 4A is a schematic diagram illustrating a super authority within an environment that can be used to implement an embodiment of the invention.
Figure 4B is a schematic diagram illustrating an identity catalog in accordance with an embodiment of the invention, for the purpose of mapping account identifiers to authentication authorities. Figure 5 is a flow diagram showing the steps that can be used during login to authenticate a principal's account ID in accordance with an embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION With reference to the drawings, in which like reference numerals refer to like elements, the invention is illustrated as implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. In general, program modules include routines, programs, objects, components, and data structures that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention can be practiced with other computer system configurations, including handheld devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices. This description begins with a description of a general-purpose computing device that can be used in the exemplary system for implementing the invention, after which the invention will be described in greater detail with reference to Figures 2 through 5. With reference now to Figure 1, a general-purpose computing device is shown in the form of a conventional computer 20, including a processing unit 21, a system memory 22 and a system bus 23 that couples the various system components, including the system memory, to the processing unit 21. The system bus 23 can be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
The system memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic routines that help transfer information between elements within the computer 20, such as during startup, is stored in ROM 24. The computer 20 also includes a hard disk drive 27 that reads from and writes to a hard disk 60, a magnetic disk drive 28 that reads from or writes to a removable magnetic disk 29, and an optical disk drive 30 that reads from or writes to a removable optical disk 31, such as a CD-ROM or other optical medium. In addition to the aforementioned computer-readable media, a communication medium typically embodies computer-readable instructions, data structures, program modules and other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery medium. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a way as to encode information in the signal. By way of example, and not limitation, communication media include wired media such as a wired network or a direct-wired connection, and wireless media such as acoustic, RF, infrared, or other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media. The hard disk drive 27, the magnetic disk drive 28 and the optical disk drive 30 are connected to the system bus 23 through a hard disk drive interface 32, a magnetic disk drive interface 33 and an optical disk drive interface 34, respectively. The drives and their associated computer-readable media provide non-volatile storage of computer-readable instructions, data structures, program modules and other data for the computer 20.
Although the exemplary environment described herein employs a hard disk 60, a removable magnetic disk 29 and a removable optical disk 31, those skilled in the art will appreciate that other types of computer-readable media that can store data accessible by the computer, such as magnetic cassettes, flash memory cards, digital video discs, Bernoulli cartridges, random access memories, read-only memories, storage area networks, and the like, can also be used in the exemplary operating environment. A number of program modules can be stored on the hard disk 60, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more application programs 36, other program modules and program data. A user may enter commands and information into the computer 20 through input devices such as a keyboard 40 and a pointing device 42. Other input devices (not shown) may include a microphone, a joystick, a game pad, a satellite dish, a scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by another interface, such as a parallel port, a game port, a universal serial bus (USB) or a network interface card. A monitor 47 or other type of display device is also connected to the system bus 23 through an interface, such as a video adapter 48. In addition to the monitor, computers can also include other peripheral output devices, not shown, such as speakers and printers. The computer 20 operates in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 can be a server, a router, a network PC, a personal computer, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 20, although only a memory storage device 50 has been illustrated in Figure 1.
The logical connections illustrated in Figure 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet. When used in a LAN networking environment, the computer 20 connects to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the computer 20 typically includes a modem 54 or other means for establishing communications over the WAN 52. The modem 54, which can be internal or external, can be connected to the system bus 23 through the serial port interface 46. The program modules illustrated in relation to the computer 20, or portions thereof, may be stored in the remote memory storage device, if present. It should be appreciated that the network connections shown are exemplary and that other means of establishing a communication link between the computers can be used. Herein, the invention will be described generally with reference to acts and symbolic representations of operations that are performed by one or more computers, unless otherwise indicated. As such, it should be understood that such acts and operations, which are often referred to as computer-executed, include the manipulation by the computer's processing unit of electrical signals that represent data in a structured form. This manipulation transforms the data or maintains it at locations in the computer's memory system, which reconfigures or otherwise alters the operation of the computer in a manner well understood by those skilled in the art. The data structures in which the data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, although the invention is described in the foregoing context, it is not meant to be limiting, since those skilled in the art will appreciate that the various acts and operations described herein can also be implemented in hardware.
In the following description, computing devices such as authentication authority devices and super authority devices are as described above with respect to Figure 1, with reference to the computer 20 and/or the remote computer 49, or alternatively may be another type of computing device. Figure 2A schematically illustrates an exemplary network environment 200 within which network resource management techniques have been used. In particular, principal A 201, principal B 203, principal C 205, principal D 207, principal E 209 and principal F 211 are each associated with one of authority X 213, authority Y 215 and authority Z 217. The principals and at least their respective authentication authorities are communicatively linked through the network 219. Each principal can be represented in the network 219 by a computer such as the computer 20 described with respect to Figure 1, a workstation, or any other type of computing device capable of carrying out the necessary network communication and processing tasks. The network 219 can comprise any number and type of network connections, including wired or wireless connections, LAN, WAN and Internet connections and any combination thereof, as well as other types of network connections.
In existing techniques, each of authority X 213, authority Y 215 and authority Z 217 is responsible for authenticating account IDs within a particular namespace, so that when an account ID is received for authentication, the authority responsible for authenticating it is immediately apparent from the account ID. Thus, when one of the principals attempts to log in to a particular domain (that is, the network resources within the namespace associated with a particular authority), the appropriate authority carries out authentication by any of a number of known protocols adapted for that purpose and grants or denies access to the principal. It should be noted that although the principals 201, 203, 205, 207, 209, 211 may each be associated with only one of the authorities 213, 215, 217, network connections may exist within the environment 200 so that a principal communicates directly or indirectly with authorities or machines in other domains. With reference to Figure 2B, the logical domain architecture 202 corresponding to the network diagram of Figure 2A is shown schematically. In the example shown, principal A 201 and principal C 205 are associated with (for example, have accounts with) authority X 213, principal B 203, principal D 207 and principal F 211 are associated with authority Y 215, and principal E 209 is associated with authority Z 217. Although each principal may or may not have network connectivity to authorities and machines other than its respective associated authentication authority, such connections are not illustrated in the logical structure 202 of Figure 2B, since the structure 202 of Figure 2B illustrates only the authentication relationships.
Due to the namespace convention that has been adopted for security reasons for network resources as described above, it is not possible in the present system to move a principal from one domain to another without changing the principal's account ID, which results in a potential service interruption. That is, since the account ID comprises a namespace identifier to facilitate authentication, and since the authentication authorities authenticate in non-overlapping namespaces, an account ID that can be used with respect to a particular authority cannot be used with respect to another authority, even if access in the second domain would otherwise be permitted. There are many reasons why a company may choose to maintain a network system composed of multiple domains or having multiple authorities, and such a company may want to move principals among those multiple domains. For example, in a merger, a single company may be formed from separate pieces that were previously associated with one or more domains. When the identities of the constituent companies are to be maintained, the resulting company network often comprises, as component parts, the domains associated with the merged companies. In another example, a multi-regional or multi-national corporation may be required by law to maintain separate control domains. For example, a multi-national banking company may be required by law to establish a separate control domain for personnel management within a particular country, so that control of local activities and access to local data is verifiably authorized only for local personnel. Other reasons for maintaining multiple authorities include administrative isolation and data isolation. Administrative isolation is primarily useful when decentralized conglomerates want to share resources, up to a point, but do not want to share the management of the resources or of the principals associated with them.
Data isolation is useful when the network resources include confidential or valuable data or resources, and the creation of multiple authorities minimizes the number of people who can access a particular group of resources. As mentioned before, it is often useful or convenient to move a principal across security boundaries. For example, this is often desired when an individual user, associated with a particular user account, changes positions within a company or moves from one division to another. When each division is associated with its own authority, the transferred employee will need his account transferred from one authority to another.
In the prior techniques, this required a change in the account ID and an interruption of service or access. Another exemplary situation in which it may be desirable to change a user account is after an acquisition, when one party to the transaction wishes to migrate its principals to a pre-existing authority associated with the transaction. The exemplary system described here maintains administrative isolation and data isolation while allowing a principal to be moved and its authority to be changed without interruption of service. In general, this is achieved by using a super authority together with an identity catalog. As will be described in more detail below, the super authority is not itself an authentication authority; rather, it directs an access attempt to an appropriate ordinary authority for authentication. The super authority uses the identity catalog to facilitate this task. The identity catalog effectively maps account IDs to authentication authorities, whereby each account ID is associated with a single authentication authority. The schematic diagram of Figure 3A illustrates a network architecture 300 within which the super authority can be implemented in accordance with one embodiment of the invention. The super authority can also be referred to as a control authority, since it controls the authentication of principals but does not actually carry out the authentication of those principals. In addition to principals and authentication authorities analogous to those shown in Figure 2A, the architecture 300 also includes one or more super authorities, illustrated by super authority I (321) and super authority II (323). Each super authority 321, 323 can be connected through the network 319 with all or some of the network entities shown in the figure.
However, the only connection required is between the super authority 321, 323 and the authentication authority or authorities associated with that super authority. The interrelationship between the authentication authorities and the super authorities will be explained in more detail below. With reference to Figure 3B, an exemplary logical relationship between authentication authorities and super authorities is illustrated schematically by a logical structure 302. As shown, each super authority 321, 323 is associated with one or more authentication authorities, while each authentication authority is associated with at most one super authority. It should be noted that although an authority can be associated with a single principal and/or a super authority can be associated with a single authority, such situations are typically, but not necessarily, transient. Although the invention does not require that each authentication authority be associated with a super authority, it is preferable, as it tends to simplify administration and authentication tasks. In the illustrated example, super authority I (321) is associated with authority X (313) and authority Y (315), while super authority II (323) is associated with authority Z (317). In turn, each of authority X (313), authority Y (315) and authority Z (317) is associated with individual users or principals, for example, user accounts. However, unlike other authentication techniques, the link between the authentication authorities and the principals is not based on non-overlapping namespaces; instead, it is based on policy choices embodied in the identity catalog maintained by the relevant super authority. The identity catalog, which will be described in more detail below, essentially maps each principal's account identifier to an authentication authority, and the catalog mapping can be changed without changing the account identifiers.
Because the mapping is set by policy rather than constrained by namespace boundaries, two different authentication authorities can authenticate in the same namespace, and any authentication authority can authenticate in multiple namespaces. The mapping can be based on the principal's organizational affiliation within the company, the principal's geographical location, importance, position, etc. Figure 4A shows a schematic representation of a super authority, such as super authority I (321) or super authority II (323). The diagram of Figure 4A is provided for purposes of illustration and simplification, and represents one possible implementation of super authority 401. The invention includes other implementations, as will be recognized by persons skilled in the art. The super authority 401 is composed of a network interface 403, authority resolution logic 405, and an identity catalog 407. The components are communicatively interrelated so that the network interface 403 and the identity catalog 407 are available to the authority resolution logic 405. Super authority 401 can be implemented in various types of computing devices. In one embodiment of the invention, the super authority 401 is implemented in a server, and the components of super authority 401 are software modules and elements as described above in relation to Figure 1. In one embodiment of the invention, the communication paths between the components comprise a bus or internal communication paths of the server computer. The details of the identity catalog 407 in accordance with one embodiment of the invention are shown schematically in Figure 4B. In particular, the identity catalog 407 provides a mapping of principal account IDs (e.g., bobsmith@msn.com) to authentication authorities.
The copy is illustrated in Figure 4B as a one-to-one copy in a tabular format, where each entry 453 in an identity column 455 is topped through the table at a corresponding entry 457 in a 459 authority column. authentication. As illustrated in the previous example, the copy of the account ID of the principal for the authentication authorities does not need to be related to the boundaries of the namespace. For example, the clients in the "msn.com" domain are authenticated by the authentication authority A and the authentication authority B. The same is true for customers in the "Microsoft.com" domain. By changing the copy in the identity catalog, it results in a new copy of the relevant principal in a different authentication authority under the same super authority. As described above, this has advantages since the responsibility for authentication can be altered without requiring the alteration of the ID of the account itself. As a review, the operation of super authority 401 is as follows in accordance with one embodiment of the invention. A machine belonging to a user or principal such as a machine tagged master A (413) makes contact with an authority, such as resident in the 411 machine-labeled authority requesting access to the resources. This request may be in the signature of a record in a request or attempt. The contacted authority 411 then sends the request to the super authority 401 through the network 409 and the network interface 403 for the identification by the logic 405 of authority resolution by an appropriate authority, with the use of the catalog 407 of identities, to authenticate the principal identified in the request. The super authority 401 then directly transmits the authentication request to the selected authentication authority or causes it to be transmitted, as per the initial receiving authority. 
The selected authentication authority need not be the authentication authority that initially received the logon attempt from the principal. It should be noted that the process of changing the contents of the identity catalog 407, for example in order to remap a given account ID to another authentication authority, is preferably also carried out, when necessary, by the authority resolution logic 405, in accordance with one embodiment of the invention. Typically, an administrator issues commands that cause the authority resolution logic 405 to make the appropriate alterations to the identity catalog 407. Such commands can be received through the user interface of the computer hosting the super authority 401, or can arrive through the network interface 403 or another network connection from a remote location.

The flow chart 500 of Figure 5 describes in more detail the operation of the novel architecture described herein while processing a request for access to network resources. In step 502, the principal attempts to log on in order to access particular network resources by sending a logon request to an authority. The request includes the principal's account ID, which typically consists of an individual identifier and a domain identifier as shown in Figure 4B. In step 503, the authority receiving the request does not immediately decide whether or not to authenticate the requesting principal, but instead forwards the request to the super authority responsible for that particular receiving authority. Then, in step 505, the super authority extracts the account ID information from the transmission and, in step 507, uses it as a key into the identity table to identify the authentication authority associated with that particular principal.
It should be noted that the super authority first checks whether the particular sending authority is one for which this super authority is responsible; an authority identifier can be used for this purpose. Note also that the authentication authority associated with the identity of the particular principal may or may not be the same as the authority that received and forwarded the logon request, depending on the contents of the identity catalog. In step 509, the super authority causes the logon request to be transmitted to the appropriate authority identified through the identity catalog. In this step the super authority can send the request directly or cause a third party to send it. Sending the request directly may be called "chaining". Chaining is not required, however, and the request can be fulfilled through other mechanisms. For example, the super authority, having resolved the appropriate authentication authority in step 507, can "refer" the request instead of chaining it. Referral entails the super authority responding to the authority that sent the request and transmitting to that authority the identity of the appropriate authentication authority; the request is then passed to the appropriate authentication authority by the authority that initially sent it to the super authority. While either chaining or referral can be used, referral is preferred when the relevant authorities are communicatively linked, because referral usually allows greater scalability of the system, since a super authority may be involved in a large number of authentication requests during a given period of time. Finally, in step 511, the selected authority authenticates the request as appropriate. When authentication succeeds, the authentication authority can transmit a grant notice to the principal.
It should be appreciated that the novel architecture and system of the exemplary embodiment disclosed herein allow increased flexibility of authentication without a corresponding increase in the vulnerability of the system. For example, in a traditional system in which two different authorities A and B are trusted to authenticate principals in "@msn.com" and "@microsoft.com", authorities A and B must have a high degree of mutual administrative trust, since it is possible for an administrator of authority A to authenticate a principal that should only be authenticated by authority B, and vice versa. In other words, authority A would need to trust the administrators of authority B as much as it trusts its own administrators, and in some cases this is not possible. However, the exemplary system described here allows the authorities to share namespaces without mutual administrative trust. Each authority needs only to have administrative trust in the administrator of the super authority, which can be much more reliable, since the number, location and affiliation of the super authority's administrators are typically more restricted than those of ordinary authorities.

Another beneficial result of embodiments of the invention is that principals can be moved across security boundaries without changing their identity: a single change in the super authority's identity catalog is all that is necessary to register a new mapping of the principal's identity to an authentication authority.

An improved system and method for account authentication of a principal has thus been described. In view of the many possible embodiments to which the principles of the invention may apply, it should be recognized that the embodiments described herein with respect to the figures are intended to be illustrative and should not be taken as limiting the scope of the invention.
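The following is an added example, not code from the patent or from its assignee: an in-process toy model of the identity catalog of Figure 4B, the resolution flow of steps 502 to 511, both delivery mechanisms (chaining and referral), the "refrain unless authorized" rule that keeps authority A from authenticating B's principals, and the single-entry remap that moves a principal without touching its account ID. The class and field names (LogonRequest, Resolution, account_key), the password check, the case-insensitive domain handling and the sample catalog and credentials are all this example's own assumptions; the patent specifies no wire format, credential scheme or migration of credentials between authorities.

```python
# Added example, not code from the patent. Toy in-process model of the
# super-authority architecture; all names, formats and sample data are assumed.
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class LogonRequest:
    account_id: str           # individual identifier "@" domain identifier (Figure 4B)
    password: str             # constructed credential, only for the toy check below
    receiving_authority: str  # identifier of the authority the principal contacted first


@dataclass(frozen=True)
class Resolution:
    account_id: str   # normalised account ID that was looked up
    authority: str    # authentication authority selected from the catalog
    issuer: str       # super authority that produced this resolution


def account_key(account_id: str) -> str:
    """Step 505: split 'user@domain'; the domain is assumed case-insensitive."""
    user, sep, domain = account_id.partition("@")
    if not sep or not user or not domain or "@" in domain:
        raise ValueError(f"malformed account ID: {account_id!r}")
    return f"{user}@{domain.lower()}"


class SuperAuthority:
    """Authority resolution logic plus identity catalog (Figure 4A); the network
    interface is a plain method call in this toy."""

    def __init__(self, name: str, catalog: Dict[str, str], responsible_for: Iterable[str]):
        self.name = name
        # Identity catalog (Figure 4B): account ID -> authentication authority. Two
        # msn.com principals may map to different authorities, and vice versa.
        self.catalog = {account_key(k): v for k, v in catalog.items()}
        self.responsible_for = frozenset(responsible_for)

    def resolve(self, request: LogonRequest) -> Resolution:
        """Steps 503-507: reject authorities this super authority is not responsible
        for, then use the account ID as the key into the catalog."""
        if request.receiving_authority not in self.responsible_for:
            raise PermissionError(f"{request.receiving_authority!r} is not under {self.name}")
        key = account_key(request.account_id)
        if key not in self.catalog:
            raise LookupError(f"no authentication authority mapped for {key}")
        return Resolution(key, self.catalog[key], self.name)

    def chain(self, request: LogonRequest, authorities: Dict[str, "AuthenticationAuthority"]) -> bool:
        """Step 509, chaining: the super authority itself sends the request on."""
        resolution = self.resolve(request)
        return authorities[resolution.authority].authenticate(request, resolution)

    def remap(self, account_id: str, new_authority: str) -> str:
        """Administrator command: move a principal by changing one catalog entry.
        The account ID is untouched. Returns the previous authority."""
        key = account_key(account_id)
        old = self.catalog[key]
        self.catalog[key] = new_authority
        return old


class AuthenticationAuthority:
    def __init__(self, name: str, super_authority: SuperAuthority, credentials: Dict[str, str]):
        self.name = name
        self.super_authority = super_authority
        self.credentials = {account_key(k): v for k, v in credentials.items()}  # constructed store

    def handle_logon(self, request: LogonRequest, authorities: Dict[str, "AuthenticationAuthority"],
                     mode: str = "referral") -> bool:
        """Steps 502-503: never decide locally; ask the super authority first."""
        if mode == "chaining":
            return self.super_authority.chain(request, authorities)
        # Step 509, referral: the super authority answers with the selected authority
        # and the receiving authority forwards the request (possibly to itself).
        resolution = self.super_authority.resolve(request)
        return authorities[resolution.authority].authenticate(request, resolution)

    def authenticate(self, request: LogonRequest, resolution: Resolution) -> bool:
        """Step 511: authenticate only when the super authority's resolution names this
        authority for this account ID; otherwise refrain. A real deployment would need
        the resolution to arrive over an authenticated channel; here it is in-process."""
        if (resolution.issuer != self.super_authority.name
                or resolution.authority != self.name
                or resolution.account_id != account_key(request.account_id)):
            raise PermissionError(f"{self.name} is not authorized to authenticate {request.account_id}")
        expected = self.credentials.get(resolution.account_id)
        return expected is not None and hmac.compare_digest(expected, request.password)


def demo() -> Dict[str, object]:
    """Constructed scenario: A and B share the msn.com and microsoft.com namespaces."""
    sa = SuperAuthority("SA", {"bobsmith@msn.com": "A", "alice@msn.com": "B",
                               "carol@microsoft.com": "A"}, responsible_for={"A", "B"})
    # B is pre-staged with bobsmith's credential so the later move causes no interruption.
    a = AuthenticationAuthority("A", sa, {"bobsmith@msn.com": "pw-bob", "carol@microsoft.com": "pw-carol"})
    b = AuthenticationAuthority("B", sa, {"alice@msn.com": "pw-alice", "bobsmith@msn.com": "pw-bob"})
    authorities = {"A": a, "B": b}
    out: Dict[str, object] = {}
    out["bob_via_A"] = a.handle_logon(LogonRequest("bobsmith@msn.com", "pw-bob", "A"), authorities)
    out["alice_via_A"] = a.handle_logon(LogonRequest("alice@MSN.com", "pw-alice", "A"), authorities)
    out["carol_chained"] = b.handle_logon(LogonRequest("carol@microsoft.com", "pw-carol", "B"),
                                          authorities, mode="chaining")
    out["bad_password"] = a.handle_logon(LogonRequest("bobsmith@msn.com", "wrong", "A"), authorities)
    alice = LogonRequest("alice@msn.com", "pw-alice", "A")
    try:  # A must refrain from authenticating B's principal on its own
        a.authenticate(alice, sa.resolve(alice))
        out["A_refrains"] = False
    except PermissionError:
        out["A_refrains"] = True
    try:  # an authority not under SA is rejected before any catalog lookup
        sa.resolve(LogonRequest("bobsmith@msn.com", "pw-bob", "C"))
        out["foreign_authority_rejected"] = False
    except PermissionError:
        out["foreign_authority_rejected"] = True
    out["previous_authority"] = sa.remap("bobsmith@msn.com", "B")
    out["bob_after_move"] = a.handle_logon(LogonRequest("bobsmith@msn.com", "pw-bob", "A"), authorities)
    out["now_mapped_to"] = sa.resolve(LogonRequest("bobsmith@msn.com", "pw-bob", "A")).authority
    return out
```

Calling demo() walks the scenario end to end: Bob logs on through A and is authenticated by A; Alice logs on through A and is referred to B; Carol's request is chained by the super authority; A raises PermissionError when it tries to authenticate Alice itself; a request from an authority the super authority is not responsible for is rejected before the catalog is consulted; and after remap() Bob's next logon through A lands at B with the same account ID.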
For example, those skilled in the art will recognize that some elements of the illustrated embodiments shown in software can be implemented in hardware and vice versa, or that the illustrated embodiments can be modified in arrangement and detail without departing from the spirit of the invention. Furthermore, it should be appreciated that the invention can be implemented in any appropriate network environment of any size and type. In addition, although the illustrations show a small number of principals, authorities and super authorities, the invention encompasses systems with a greater or lesser number of these entities. Therefore, the invention as described herein contemplates all such embodiments as falling within the scope of the following claims and equivalents thereof.
Claims (25)
- CLAIMS
1. A method for authenticating a principal in a network environment to obtain access to secured resources, characterized in that it comprises: receiving at an authority a logon request from the principal, wherein the logon request comprises an account identifier; transmitting the account identifier from the receiving authority to a super authority for identification of an authority that is authorized to authenticate the principal; and authenticating the principal at the receiving authority when a transmission is received at the receiving authority from the super authority indicating that the receiving authority is authorized to authenticate the principal, and otherwise refraining from authenticating the principal.
2. The method according to claim 1, characterized in that the account identifier comprises a principal identifier and a namespace identifier.
3. The method according to claim 1, characterized in that it further comprises: receiving at the receiving authority, from the super authority, a request to authenticate a second principal based on a logon request made by the second principal, wherein the logon request made by the second principal was made by the second principal to another authority different from the receiving authority.
4. A control authority for identifying an authentication authority to authenticate a principal for access to network resources, characterized in that it comprises: an identity catalog mapping at least one account ID of at least one principal to an identifier of a corresponding authentication authority; and an authority resolution module for accessing the identity catalog to match the account ID with a corresponding authentication authority and for causing an authentication request to be directed to the corresponding authentication authority.
5. The control authority according to claim 4, characterized in that it further comprises a network interface for passing the account ID to the authority resolution module and for receiving from the authority resolution module an authentication request addressed to the corresponding authentication authority.
6. The control authority according to claim 4, characterized in that the identity catalog maps a plurality of account IDs to a corresponding plurality of authentication authorities.
7. The control authority according to claim 6, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having a common namespace identifier, the at least two account IDs being mapped to at least two respective ones of the plurality of authentication authorities.
8. The control authority according to claim 6, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having different namespace identifiers, the at least two account IDs being mapped to the same one of the plurality of authentication authorities.
9. The control authority according to claim 6, characterized in that the content of the identity catalog is based at least in part on an organizational affiliation of principals within an entity.
10. The control authority according to claim 6, characterized in that the content of the identity catalog is based at least in part on the geographical location of the principals.
11. A method for controlling the authentication of principals for access to network resources in a network environment, characterized in that it comprises: receiving a request for authentication authority resolution from one of a plurality of authentication authorities, wherein the request comprises an account ID of a principal to be authenticated; accessing a mapping of a plurality of account IDs to a corresponding plurality of authentication authorities and locating within the mapping the account ID of the principal to be authenticated; locating within the mapping an identity of the assigned authentication authority to which the account ID of the principal to be authenticated is mapped; and causing an authentication request to be transmitted to the assigned authentication authority, wherein the request asks the authentication authority to authenticate the principal to be authenticated.
12. The method according to claim 11, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having a common namespace identifier, the at least two account IDs being mapped by the mapping to at least two respective ones of the plurality of authentication authorities.
13. The method according to claim 11, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having different namespace identifiers, the at least two account IDs being mapped by the mapping to the same one of the plurality of authentication authorities.
14. The method according to claim 11, further comprising altering the mapping, whereby an account ID previously mapped to a first authentication authority is remapped to a second authentication authority.
15. The method according to claim 11, characterized in that the mapping is based, at least in part, on the organizational affiliation of principals within an entity.
16. The method according to claim 11, characterized in that the mapping is based, at least in part, on the geographical location of the principals.
17. An apparatus for controlling the authentication of principals for access to network resources in a network environment, characterized in that it comprises: means for receiving a request for authentication authority resolution from one of a plurality of authentication authorities, wherein the request comprises an account ID of a principal to be authenticated; means for accessing a mapping of a plurality of account IDs to a corresponding plurality of authentication authorities and locating within the mapping the account ID of the principal to be authenticated; means for locating within the mapping an identity of the assigned authentication authority to which the account ID of the principal to be authenticated is mapped; and means for causing an authentication request to be transmitted to the assigned authentication authority, wherein the request asks the authentication authority to authenticate the principal to be authenticated.
18. The apparatus according to claim 17, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having a common namespace identifier, the at least two account IDs being mapped by the mapping to at least two respective ones of the plurality of authentication authorities.
19. The apparatus according to claim 17, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having different namespace identifiers, the at least two account IDs being mapped by the mapping to the same one of the plurality of authentication authorities.
20. The apparatus according to claim 17, further comprising means for altering the mapping, whereby an account ID previously mapped to a first authentication authority is remapped to a second authentication authority.
21. A computer-readable medium having computer-executable instructions for carrying out a method for controlling the authentication of principals for access to network resources in a network environment, characterized in that the method comprises: receiving a request for authentication authority resolution from one of a plurality of authentication authorities, wherein the request comprises an account ID of a principal to be authenticated; accessing a mapping of a plurality of account IDs to a corresponding plurality of authentication authorities and locating within the mapping the account ID of the principal to be authenticated; locating within the mapping an identity of the assigned authentication authority to which the account ID of the principal to be authenticated is mapped; and causing an authentication request to be transmitted to the assigned authentication authority, wherein the request asks the authentication authority to authenticate the principal to be authenticated.
22. The computer-readable medium according to claim 21, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having a common namespace identifier, the at least two account IDs being mapped by the mapping to at least two respective ones of the plurality of authentication authorities.
23. The computer-readable medium according to claim 21, characterized in that each account ID comprises a namespace identifier, and wherein the plurality of account IDs comprises at least two account IDs having different namespace identifiers, the at least two account IDs being mapped by the mapping to the same one of the plurality of authentication authorities.
24. The computer-readable medium according to claim 21, characterized in that the mapping is based, at least in part, on the organizational affiliation of the principals within an entity.
25. The computer-readable medium according to claim 21, characterized in that the mapping is based, at least in part, on the geographical location of the principals.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US10/667,582 US7370195B2 (en) | 2003-09-22 | 2003-09-22 | Moving principals across security boundaries without service interruption |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| MXPA04007410A true MXPA04007410A (en) | 2005-04-19 |
Family
ID=34194794
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| MXPA04007410A MXPA04007410A (en) | 2003-09-22 | 2004-07-30 | Moving principals across security boundaries without service interruption. |
Country Status (10)
| Country | Link |
|---|---|
| US (3) | US7370195B2 (en) |
| EP (1) | EP1517510B1 (en) |
| JP (1) | JP4558402B2 (en) |
| KR (1) | KR101015354B1 (en) |
| CN (1) | CN1601954B (en) |
| AU (1) | AU2004203412B2 (en) |
| BR (1) | BRPI0402910B1 (en) |
| CA (1) | CA2476340C (en) |
| MX (1) | MXPA04007410A (en) |
| RU (2) | RU2348075C2 (en) |
Families Citing this family (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040236653A1 (en) * | 2002-01-03 | 2004-11-25 | Sokolic Jeremy N. | System and method for associating identifiers with data |
| US7469417B2 (en) * | 2003-06-17 | 2008-12-23 | Electronic Data Systems Corporation | Infrastructure method and system for authenticated dynamic security domain boundary extension |
| EP1883782B1 (en) * | 2005-05-06 | 2014-10-15 | Symantec International | Token sharing system and method |
| US8155275B1 (en) | 2006-04-03 | 2012-04-10 | Verint Americas, Inc. | Systems and methods for managing alarms from recorders |
| US8307404B2 (en) * | 2007-04-16 | 2012-11-06 | Microsoft Corporation | Policy-management infrastructure |
| US7587718B1 (en) * | 2008-10-31 | 2009-09-08 | Synopsys, Inc. | Method and apparatus for enforcing a resource-usage policy in a compute farm |
| US8561157B2 (en) | 2011-09-23 | 2013-10-15 | Canon U.S.A., Inc. | Method, system, and computer-readable storage medium for establishing a login session |
| US9276932B2 (en) * | 2013-11-07 | 2016-03-01 | International Business Machines Corporation | Federated identity mapping using delegated authorization |
| US10067949B1 (en) * | 2013-12-23 | 2018-09-04 | EMC IP Holding Company LLC | Acquired namespace metadata service for controlling access to distributed file system |
| CA2895366C (en) | 2014-06-23 | 2021-11-16 | The Toronto-Dominion Bank | Systems and methods for authenticating user identities in networked computer systems |
| CN106921555B (en) * | 2015-12-24 | 2020-04-07 | 北京北信源软件股份有限公司 | User account defining method for cross-network instant messaging |
| CN107797721B (en) * | 2016-09-07 | 2020-10-09 | 腾讯科技(深圳)有限公司 | Interface information display method and device |
| CN106407842B (en) * | 2016-09-29 | 2019-06-14 | 恒大智慧科技有限公司 | A kind of sign-off initiates user management method and equipment |
| US11941458B2 (en) * | 2020-03-10 | 2024-03-26 | Sk Hynix Nand Product Solutions Corp. | Maintaining storage namespace identifiers for live virtualized execution environment migration |
| CN117642739A (en) * | 2021-07-02 | 2024-03-01 | 株式会社电装 | Routing device, management center device, user authentication method, and user authentication program |
Family Cites Families (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5646534A (en) * | 1995-01-06 | 1997-07-08 | Chrysler Corporation | Battery monitor for electric vehicles |
| US5875296A (en) | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
| US5908469A (en) * | 1997-02-14 | 1999-06-01 | International Business Machines Corporation | Generic user authentication for network computers |
| US6446206B1 (en) * | 1998-04-01 | 2002-09-03 | Microsoft Corporation | Method and system for access control of a message queue |
| US6324571B1 (en) * | 1998-09-21 | 2001-11-27 | Microsoft Corporation | Floating single master operation |
| US6510236B1 (en) * | 1998-12-11 | 2003-01-21 | International Business Machines Corporation | Authentication framework for managing authentication requests from multiple authentication devices |
| US6367009B1 (en) * | 1998-12-17 | 2002-04-02 | International Business Machines Corporation | Extending SSL to a multi-tier environment using delegation of authentication and authority |
| RU2143728C1 (en) * | 1998-12-30 | 1999-12-27 | Щеглов Андрей Юрьевич | Device for protection of virtual channel of internet which uses public communication lines and commutation equipment of public communication network |
| US6609198B1 (en) * | 1999-08-05 | 2003-08-19 | Sun Microsystems, Inc. | Log-on service providing credential level change without loss of session continuity |
| BR0013557A (en) | 1999-08-25 | 2002-04-09 | Du Pont | Process for the preparation of poly (trimethylene terephthalate) |
| US6693876B1 (en) * | 1999-08-31 | 2004-02-17 | Worldcom, Inc. | Selecting IPX/IGX nodes in a multi-domain environment |
| US7194764B2 (en) * | 2000-07-10 | 2007-03-20 | Oracle International Corporation | User authentication |
| RU2183348C2 (en) * | 2000-07-19 | 2002-06-10 | Военный университет связи | Object authentication method |
| US6912582B2 (en) * | 2001-03-30 | 2005-06-28 | Microsoft Corporation | Service routing and web integration in a distributed multi-site user authentication system |
| US7185359B2 (en) * | 2001-12-21 | 2007-02-27 | Microsoft Corporation | Authentication and authorization across autonomous network systems |
| US7221935B2 (en) | 2002-02-28 | 2007-05-22 | Telefonaktiebolaget Lm Ericsson (Publ) | System, method and apparatus for federated single sign-on services |
| WO2003088571A1 (en) * | 2002-04-12 | 2003-10-23 | Karbon Systems, Llc | System and method for secure wireless communications using pki |
| US20030233328A1 (en) * | 2002-04-23 | 2003-12-18 | Scott David A. | Method and system for securely communicating data in a communications network |
| US20060005237A1 (en) * | 2003-01-30 | 2006-01-05 | Hiroshi Kobata | Securing computer network communication using a proxy server |
| US20040177247A1 (en) * | 2003-03-05 | 2004-09-09 | Amir Peles | Policy enforcement in dynamic networks |
-
2003
- 2003-09-22 US US10/667,582 patent/US7370195B2/en not_active Expired - Fee Related
-
2004
- 2004-05-13 EP EP04102099.1A patent/EP1517510B1/en not_active Expired - Lifetime
- 2004-07-21 BR BRPI0402910-0A patent/BRPI0402910B1/en not_active IP Right Cessation
- 2004-07-26 AU AU2004203412A patent/AU2004203412B2/en not_active Ceased
- 2004-07-27 JP JP2004219243A patent/JP4558402B2/en not_active Expired - Fee Related
- 2004-07-30 RU RU2004123581/09A patent/RU2348075C2/en not_active IP Right Cessation
- 2004-07-30 CA CA2476340A patent/CA2476340C/en not_active Expired - Fee Related
- 2004-07-30 KR KR1020040060135A patent/KR101015354B1/en not_active Expired - Fee Related
- 2004-07-30 MX MXPA04007410A patent/MXPA04007410A/en active IP Right Grant
- 2004-07-30 CN CN2004100557596A patent/CN1601954B/en not_active Expired - Fee Related
-
2008
- 2008-03-18 US US12/050,766 patent/US7779248B2/en not_active Expired - Fee Related
- 2008-03-31 US US12/058,968 patent/US7814312B2/en not_active Expired - Fee Related
- 2008-10-13 RU RU2008140652/08A patent/RU2475837C2/en not_active IP Right Cessation
Also Published As
| Publication number | Publication date |
|---|---|
| US20080163348A1 (en) | 2008-07-03 |
| KR20050029677A (en) | 2005-03-28 |
| EP1517510B1 (en) | 2014-06-25 |
| BRPI0402910A (en) | 2005-05-24 |
| CA2476340C (en) | 2014-02-11 |
| US7814312B2 (en) | 2010-10-12 |
| JP2005100358A (en) | 2005-04-14 |
| CA2476340A1 (en) | 2005-03-22 |
| RU2348075C2 (en) | 2009-02-27 |
| US20080184343A1 (en) | 2008-07-31 |
| EP1517510A2 (en) | 2005-03-23 |
| RU2475837C2 (en) | 2013-02-20 |
| EP1517510A3 (en) | 2008-01-16 |
| AU2004203412A1 (en) | 2005-04-21 |
| US7779248B2 (en) | 2010-08-17 |
| CN1601954B (en) | 2011-08-03 |
| CN1601954A (en) | 2005-03-30 |
| BRPI0402910B1 (en) | 2018-05-29 |
| RU2008140652A (en) | 2010-04-20 |
| KR101015354B1 (en) | 2011-02-16 |
| US20050066160A1 (en) | 2005-03-24 |
| US7370195B2 (en) | 2008-05-06 |
| RU2004123581A (en) | 2006-01-27 |
| AU2004203412B2 (en) | 2010-05-20 |
| JP4558402B2 (en) | 2010-10-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7779248B2 (en) | Moving principals across security boundaries without service interruption | |
| US7827598B2 (en) | Grouped access control list actions | |
| US7047560B2 (en) | Credential authentication for mobile users | |
| JP6426189B2 (en) | System and method for biometric protocol standard | |
| US8990896B2 (en) | Extensible mechanism for securing objects using claims | |
| US20070101400A1 (en) | Method of providing secure access to computer resources | |
| US20030177376A1 (en) | Framework for maintaining information security in computer networks | |
| WO2007048251A1 (en) | Method of providing secure access to computer resources | |
| US7428748B2 (en) | Method and system for authentication in a business intelligence system | |
| JP2001312466A (en) | Mobile computer information management system | |
| Dinesha et al. | Evaluation of secure cloud transmission protocol | |
| Wilson et al. | CORBAmed Security White Paper | |
| Encheva et al. | Collaborative role management for sharing protected web resources | |
| Bhatti et al. | Evaluation of different Open Source Identity management Systems | |
| Zeber et al. | Managing Identity and Access in the Defence Environment | |
| Von Glahn | A distributed system architecture for handling sensitive information in the automated office (computer security, networks, privacy) | |
| de Sales et al. | INTERGIs-A proposal of an architecture for the integration of identity management systems | |
| HK1230363B (en) | System and method for biometric protocol standards |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FG | Grant or registration |